Exadata After-Patching Action

Every time after Oracle engineers patch Exadata, security may be unduly tightened, and some settings are incorrectly put in place. Correct them as follows.

* To allow non-root users to view useful messages
# chmod o+r /var/log/messages* /var/log/maillog*

* To allow non-root users to run `last'
# chmod o+r /var/log/wtmp

* To keep sessions from timing out
# vi /etc/ssh/sshd_config
#comment out these two lines
ClientAliveInterval 600
ClientAliveCountMax 3
# systemctl restart sshd
# vi /etc/profile
#comment out this line
TMOUT=14400
Also, make sure your own ~/.bash_profile doesn't have the TMOUT environment variable set.

* To solve the error "You (oracle) are not allowed to use this program (crontab)"
# vi /etc/cron.allow
#add oracle

* To solve the error "error: Could not load host key: /etc/ssh/ssh_host_dsa_key"
Make sure /etc/ssh/ssh_host_rsa_key is not 0 in size (it's OK if ssh_host_dsa_key is missing and ssh_host_dsa_key.disabled exists)
# vi /etc/ssh/sshd_config
#uncomment this line
HostKey /etc/ssh/ssh_host_rsa_key
# systemctl restart sshd

* To solve the error "Ignoring invalid environment assignment 'export SSH_USE_STRONG_RNG=0': /etc/sysconfig/sshd" in /var/log/messages
# vi /etc/sysconfig/sshd
#remove "export " from this line
export SSH_USE_STRONG_RNG=0
# systemctl restart sshd

* To allow FUSE (Filesystem in Userspace) such as DBFS to mount
# vi /etc/fuse.conf
#uncomment user_allow_other

----------------------------------------------------------------------------------------------------

Other changes

* Check /etc/oratab. Make sure +ASM1, +ASM2, etc. still exist. If there are new lines added for running instances but without instance numbers (e.g. mydb instead of mydb1 on node 1), you may delete them.

* Check use_large_pages in the +ASM* instance. Make sure it's false, otherwise the ASM instance would use HugePages (since it's started before RDBMS instances).

* If you use Tivoli client for tape backup, make sure it still works.
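
The checks below are an added example, not part of the original page: a read-only shell function that reports which items of the after-patching checklist above still need correcting on a node. The function names and the optional ROOT prefix argument are assumptions of this example.

```shell
# Added example: read-only audit of the after-patching checklist. Nothing is modified.
# ROOT (optional first argument) is an assumed directory prefix, so the checks
# can also run against a copy of the files; with no argument the live paths are used.

postpatch_findings() {
    root="${1:-}"; root="${root%/}"
    ssh_cfg="$root/etc/ssh/sshd_config"

    # Logs that non-root users should be able to read (o+r).
    for f in "$root"/var/log/messages* "$root"/var/log/maillog* "$root/var/log/wtmp"; do
        [ -e "$f" ] || continue
        [ -n "$(find "$f" -prune -perm -004)" ] || echo "${f#"$root"}: not world-readable"
    done

    # Session timeouts: active (uncommented) ClientAlive* and TMOUT lines.
    grep -Eq '^[[:space:]]*ClientAlive(Interval|CountMax)[[:space:]]' "$ssh_cfg" 2>/dev/null &&
        echo "/etc/ssh/sshd_config: ClientAlive* is active"
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?TMOUT=' "$root/etc/profile" 2>/dev/null &&
        echo "/etc/profile: TMOUT is set"

    # crontab access: cron.allow exists but has no 'oracle' line.
    if [ -f "$root/etc/cron.allow" ] && ! grep -qx 'oracle' "$root/etc/cron.allow"; then
        echo "/etc/cron.allow: oracle is not listed"
    fi

    # Host key: the RSA key must be non-empty and its HostKey line uncommented.
    [ -s "$root/etc/ssh/ssh_host_rsa_key" ] || echo "/etc/ssh/ssh_host_rsa_key: missing or 0 bytes"
    grep -Eq '^[[:space:]]*HostKey[[:space:]]+/etc/ssh/ssh_host_rsa_key' "$ssh_cfg" 2>/dev/null ||
        echo "/etc/ssh/sshd_config: HostKey for ssh_host_rsa_key is commented out"

    # /etc/sysconfig/sshd takes plain NAME=value lines; a leading 'export ' is rejected.
    grep -Eq '^[[:space:]]*export[[:space:]]' "$root/etc/sysconfig/sshd" 2>/dev/null &&
        echo "/etc/sysconfig/sshd: line starts with 'export '"

    # FUSE mounts such as DBFS need user_allow_other uncommented.
    grep -Eq '^[[:space:]]*user_allow_other' "$root/etc/fuse.conf" 2>/dev/null ||
        echo "/etc/fuse.conf: user_allow_other is not enabled"
    return 0
}

# Print the findings; return status 1 when anything needs correcting.
audit_postpatch() {
    out="$(postpatch_findings "$@")"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Source the file and run `audit_postpatch` as root on each node after patching; every printed line corresponds to one item in the checklist.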